Re: IKEv2 ipsec split tunnel not work - Page 2

AndriiD · ‎07-23-2022

Hi everyone.

I need help with Flex VPN configuration on ISR4331 (IOS 16.06.05) in remote access schema - different clients must connect to router and get access to different networks (split tunneling).

VPN clients are Android Strongswan, Linux Strongswan and native Windows 10/11 VPN clients.

I configured IKEv2 VPN with certificate authentication, clients connect correct but they send all traffic to tunnel, every client have acces to every network behind the router and use tunnel like default route even if I set "not use tunnel as default" in client.

My config look like this:

!
aaa new-model
!
aaa authorization network IKE2_AUTHOR_LOCAL local
!
crypto pki trustpoint router
enrollment pkcs12
revocation-check none
rsakeypair router
!
crypto pki certificate map CERT_MAP 10
subject-name co android
!
crypto ikev2 authorization policy IKE2_AUTHOR_POLICY
pool vpn_pool
route set access-list test
!
crypto ikev2 proposal ikev2-proposal
encryption aes-cbc-128
integrity sha1
group 14
!
crypto ikev2 policy ikev2-policy
proposal ikev2-proposal
!
crypto ikev2 profile PROF
match certificate CERT_MAP
identity local address 1.2.3.4
authentication remote rsa-sig
authentication local rsa-sig
pki trustpoint router
dpd 120 5 on-demand
nat keepalive 15
aaa authorization group cert list IKE2_AUTHOR_LOCAL IKE2_AUTHOR_POLICY
virtual-template 10
!
no crypto ikev2 http-url cert
!
crypto ipsec transform-set 3DES-MD5 esp-aes esp-sha-hmac
mode tunnel
!
crypto ipsec profile PROF
set transform-set 3DES-MD5
set ikev2-profile PROF
!
interface Loopback172
description Loopback for VPN
ip address 172.16.16.254 255.255.255.0
!
interface Virtual-Template10 type tunnel
ip unnumbered Loopback172
tunnel mode ipsec ipv4
tunnel protection ipsec profile PROF
!
ip local pool vpn_pool 172.16.16.1 172.16.16.128
!
ip access-list standard test
permit 192.168.99.0 0.0.0.255
!

Also I try use "route set interface" and "route set remote/local" and situation the same - split tunneling not work.

Where i have error in configuration?

Thank!

MHM Cisco World · ‎07-24-2022

share the last config

AndriiD · ‎07-24-2022

!
aaa new-model
!
!
aaa authentication login default local
aaa authorization console
aaa authorization exec default local
!
crypto pki certificate map CERT_MAP 10
subject-name co android
!
crypto ikev2 authorization policy IKE2_AUTHOR_POLICY
pool vpn_pool
route set interface
route set access-list 10
!
crypto ikev2 proposal ikev2-proposal
encryption aes-cbc-128
integrity sha1
group 14
!
crypto ikev2 policy ikev2-policy
proposal ikev2-proposal
!
!
crypto ikev2 profile PROF
match certificate CERT_MAP
identity local address 1.2.3.4
authentication remote rsa-sig
authentication local rsa-sig
pki trustpoint router
dpd 120 5 on-demand
nat keepalive 15
aaa authorization group cert list default IKE2_AUTHOR_POLICY
virtual-template 10
!
crypto ipsec transform-set 3DES-MD5 esp-aes esp-sha-hmac
mode tunnel
!
crypto ipsec profile PROF
set transform-set 3DES-MD5
set ikev2-profile PROF
!
access-list 10 permit 192.168.99.0 0.0.0.255
!

Now I can't connect to VPN, in logs next info:

*Jul 24 20:55:21.118: AAA/BIND(000011DC): Bind i/f
*Jul 24 20:57:14.814: AAA/BIND(000011DD): Bind i/f
*Jul 24 20:57:14.815: AAA/AUTHOR (0x11DD): Invalid method list id=0x0

Rob Ingram · ‎07-24-2022

@AndriiD just because a 3rd party VPN client works with the mikrotik VPN server doesn't mean that same VPN client will work the same way with another VPN implementation, such as FlexVPN. Split tunnel is verified to be supported with the AnyConnect client, ensure it works with AnyConnect should be your first step and work from there.

Turn on the ikev2 debugging and confirm what is applied to the session.

AndriiD · ‎08-01-2022

Rob, I test my case with anyconnect client, I get next results:

Anyconnect Linux client - work, after connection routes appers in routing table
Anyconnect Android client - work, after connection routes don't present in routing table (but acl work properly)
Anyconnect Windows client - work, after connection routes appers in routing table

But one thing - this works with local authorization by username/password, and I need certificate authorization.

Piece of config thats work:

crypto ikev2 authorization policy flexvpnra
pool vpn_pool
netmask 255.255.255.0
route set access-list split_route
!
crypto ikev2 profile flexvpnra
match identity remote key-id *$AnyConnectClient$*
authentication local rsa-sig
authentication remote anyconnect-eap aggregate
pki trustpoint router
dpd 60 2 on-demand
aaa authentication anyconnect-eap flexvpnra
aaa authorization group anyconnect-eap list flexvpnra flexvpnra
virtual-template 10
anyconnect profile flexvpnra
!
no crypto ikev2 http-url cert
!
crypto vpn anyconnect profile flexvpnra bootflash:/acvpn.xml
!

And one important thing - profile file need to be named like acvpn.xml, if he has other name - anyconnect client stuck on "downloading profile" after connecting.

My question is how I can modify config for clients certificate autorization?

Thank!

AndriiD · ‎07-24-2022

Yes, I know about standart ACL, and I use it.

I try use route set interface and there is no results.

Rob Ingram · ‎07-24-2022

@AndriiD only a standard ACL is supported when setting "route set access-list" on FlexVPN, not an extended ACL.

It's a FlexVPN Remote Access VPN not L2L, so you don't match address under the IPSec profile, it's configured under the IKEv2 authorisation profile - which in the initial post it is. Hence the suggestion that split tunnel is not supported in 3rd party clients. Test it with anyconnect and let us know.

AndriiD · ‎07-26-2022

Somebody have any ideas what I do wrong?

Thanks.

AndriiD · ‎08-10-2022

So, I have silution of my problem.

I have split routes and certificate auth works when use Anyconnect as client software, but when I use Strongswan as client software - I still have default route only ...

So, how I can "block" all clients except Anyconnect?

End version of config:

aaa new-model
!
aaa authorization network IKE2_AUTH local
!
crypto pki certificate map CM_TG_ADMIN 100
issuer-name co ISSUER
subject-name co ADMIN
!
crypto ikev2 authorization policy IKE2_AUTH_POL_ADMIN
pool VPN_POOL
netmask 255.255.255.0
route set access-list ACL_VPN_MGMT_NET
!
crypto ikev2 profile IKE2_PROF_TG_ADMIN
match certificate CM_TG_ADMIN
identity local address 1.2.3.4
authentication remote rsa-sig
authentication local rsa-sig
pki trustpoint TRUSTPOINT-CA
dpd 60 2 on-demand
aaa authorization user cert list IKE2_AUTH IKE2_AUTH_POL_ADMIN
virtual-template 10
anyconnect profile AC_PROF
!
no crypto ikev2 http-url cert
!
crypto vpn anyconnect profile AC_PROF bootflash:/acvpn.xml
!
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
mode tunnel
!
crypto ipsec profile IPSEC_PROF_TG_ADMIN
set transform-set TS
set ikev2-profile IKE2_PROF_TG_ADMIN
!
interface Loopback172
description Loopback for VPN
ip address 172.16.16.254 255.255.255.0
!
interface Virtual-Template10 type tunnel
ip unnumbered Loopback172
ip mtu 1376
tunnel mode ipsec ipv4
tunnel protection ipsec profile IPSEC_PROF_TG_ADMIN
!
ip local pool VPN_POOL 172.16.16.1 172.16.16.128
!
ip access-list standard ACL_VPN_MGMT_NET
permit 10.10.10.0 0.0.0.255
!

Rob Ingram · ‎08-10-2022

@AndriiD wrote:

So, how I can "block" all clients except Anyconnect?

You can control which clients can connect if you were using RADIUS, which unfortunately you aren't using. Another option is by using an MDM to control the apps.

AndriiD · ‎08-11-2022

Rob, thank you, I will learn about MDM...

But I don't understand why other clients (except anyconnect) don't receive split routes, this is bug?